Full Disclosure mailing list archives
Twitter "swine flu" worm
From: Rosario Valotta <valotta.rosario () gmail com>
Date: Sat, 14 Nov 2009 01:41:16 +0100
Hi, up to some days ago Twitter was affected by a vulnerability that allowed the propagation of a worm which we like to call "twitter swine flu".

The vulnerability exploited by the worm was a simple XSS injected in an error page, but what is worth noticing here is that the error page was not a specific one, but was (and still currently is) raised when some unmanaged Unicode chars were included in the URL. When you try to call a specific URL and set the path or a querystring parameter to a string containing an unsupported Unicode value (for a complete list see: http://unicode.org/charts/PDF/U0080.pdf) the webapp raised an error page. E.g.:

http://twitter.com/%A2 --> Invalid Unicode value in parameter user
http://twitter.com/testxss/%A2 --> Invalid Unicode value in parameter id
http://twitter.com/testxss/whatever/%A2 --> Invalid Unicode value in parameter params
http://twitter.com/testxss?a=%A2 --> Invalid Unicode value in parameter a

No control was performed on valid path/parameter names. Moreover, in the last example, the error page echoed the parameter name without any sanitization/encoding. This led to XSS. E.g. if the URL

http://twitter.com/testxss?<script>alert('xss')</script>=%A2
(URL-encoded: http://twitter.com/testxss?%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E=%A2)

was called, the error page was raised and, as no validation on the parameter name was performed, the script was executed and an alert was raised.

The worm we developed is just a PoC that exploited this vulnerability and:
- made the victim post arbitrary tweets
- added followers to an attacker controlled account

A video of the PoC is available at:
http://sites.google.com/site/tentacoloviola/twitterhorror
and
http://www.matteocarli.com/2009/11/twitter-horror.html

The XSS issue in the error page has been patched by Twitter a few days after our disclosure. The Unicode issue is still there.

Regards
Rosario Valotta + Matteo Carlo
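The defect described in the post is a reflected XSS where an error page echoes an attacker-chosen parameter name unescaped, reachable by supplying a value that is not valid UTF-8 (such as %A2). The following is an added example, not code from the post or from Twitter, that models both halves of the fix in a small request handler: percent-decoding to bytes so invalid UTF-8 is detected rather than silently replaced, rejecting parameter names that are not on an allow list before anything is reflected, and HTML-encoding whatever is reflected. `ALLOWED_PARAMS`, the handler and page functions, and the query strings used are assumptions constructed for the example.

```python
import html
from urllib.parse import unquote_to_bytes

# Constructed stand-in for the application's known parameter names (assumption).
ALLOWED_PARAMS = {"a", "q", "page"}


def parse_query_raw(query: str):
    """Split a query string into (name, value) pairs as raw bytes.

    Percent-decoding to bytes, not str, preserves sequences such as %A2 that
    are not valid UTF-8, so the caller can detect them instead of having them
    silently replaced by U+FFFD as urllib.parse.parse_qsl would do by default.
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_to_bytes(name), unquote_to_bytes(value)))
    return pairs


def decode_utf8(raw: bytes):
    """Return the decoded text, or None if the bytes are not valid UTF-8."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def vulnerable_error_page(param_name: str) -> str:
    # The defect: the request-controlled name is written straight into HTML.
    return f"<p>Invalid Unicode value in parameter {param_name}</p>"


def hardened_error_page(param_name: str) -> str:
    # HTML-encode before reflecting; the name can no longer close the <p> or open a tag.
    safe = html.escape(param_name, quote=True)
    return f"<p>Invalid Unicode value in parameter {safe}</p>"


def handle_query(query: str, hardened: bool = True) -> str:
    """Simulate the request path: 'OK' for a clean query, otherwise an error page."""
    for raw_name, raw_value in parse_query_raw(query):
        name = decode_utf8(raw_name)
        value = decode_utf8(raw_value)
        if hardened:
            # Validate the name before reflecting anything: an unknown name, or a
            # name that is itself invalid UTF-8, is never echoed back at all.
            if name is None or name not in ALLOWED_PARAMS:
                return "<p>Invalid request: unknown parameter</p>"
            if value is None:
                return hardened_error_page(name)
        else:
            # Original behaviour: any name is accepted and reflected verbatim.
            if value is None:
                shown = name if name is not None else raw_name.decode("latin-1")
                return vulnerable_error_page(shown)
    return "OK"


def reflects_raw_tag(page: str) -> bool:
    """Detection helper for a response: does it contain an unencoded <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Constructed request mirroring the post's last example and its XSS variant.
    probe = "<script>alert('xss')</script>=%A2"
    print(handle_query("a=%A2", hardened=False))
    print(handle_query(probe, hardened=False), reflects_raw_tag(handle_query(probe, hardened=False)))
    print(handle_query(probe, hardened=True), reflects_raw_tag(handle_query(probe, hardened=True)))
```

The allow-list check is what closes the "no control on parameter names" gap; output encoding alone would already stop the script from executing, but keeping both means an unknown name is never reflected in the first place and a known name is reflected safely.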
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
